KDC cert has no DNSName entry in subject alternative name. The problem is caused by a combination of three bugs:
- `krbinstance`
- `certmonger.request_and_wait_for_cert()`
- `dns=self.fqdn`
- `dns=[self.fqdn]`
- `KDCs_PKINIT_Certs`
- `commonNameToSANDefaultImpl`
`openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt`

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = IPA23.TEST, CN = Certificate Authority
        Validity
            Not Before: Jan 29 07:33:42 2021 GMT
            Not After : Jan 30 07:33:42 2023 GMT
        Subject: O = IPA23.TEST, CN = server.ipa23.test
        ...
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
```

```
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                DNS:server.ipa23.test, othername:<unsupported>, othername:<unsupported>
```
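An added check, not from the ticket or the FreeIPA code, that parses `openssl x509 -text` output like the two listings above and reports whether the KDC cert's SAN carries the host's FQDN as a DNSName; the sample SAN sections are constructed from the ticket's before/after output, and the cert path is the one the ticket inspects.

```python
import socket
import subprocess

# SAN sections as `openssl x509 -text` prints them, constructed here from the two
# outputs quoted in this ticket (before and after the fix).
SAN_WITHOUT_DNS = """\
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
"""
SAN_WITH_DNS = """\
            X509v3 Subject Alternative Name:
                DNS:server.ipa23.test, othername:<unsupported>, othername:<unsupported>
"""
SAN_HEADER = "X509v3 Subject Alternative Name:"

def san_entries(x509_text):
    """Return the SAN entries from `openssl x509 -text` output as a list of strings.

    openssl prints them on the line after the header; flattened copies (as quoted
    in the ticket) put them on the header line itself, so both layouts are handled.
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if SAN_HEADER in line:
            rest = line.split(SAN_HEADER, 1)[1].strip()
            if not rest and i + 1 < len(lines):
                rest = lines[i + 1].strip()
            return [e.strip() for e in rest.split(",") if e.strip()]
    return []  # no SAN extension at all

def san_dns_names(x509_text):
    """DNSName entries only; the othername entries openssl cannot decode are skipped."""
    return [e[len("DNS:"):] for e in san_entries(x509_text) if e.startswith("DNS:")]

def kdc_cert_has_fqdn(x509_text, fqdn):
    """True when fqdn appears as a DNSName in the SAN (DNS names compare case-insensitively)."""
    return fqdn.lower() in (name.lower() for name in san_dns_names(x509_text))

def check_kdc_cert(path="/var/kerberos/krb5kdc/kdc.crt", fqdn=None):
    """Run openssl on the installed KDC cert and report whether its SAN carries this host's FQDN."""
    text = subprocess.run(["openssl", "x509", "-text", "-noout", "-in", path],
                          check=True, capture_output=True, text=True).stdout
    return kdc_cert_has_fqdn(text, fqdn or socket.getfqdn())

if __name__ == "__main__":
    print("KDC cert SAN has FQDN:", check_kdc_cert())
```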
freeipa-server-4.10.0.dev202101260524+git30f82e2c8d-0.fc33
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5495
master:
ipa-4-9:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)